Employee Monitoring in the Workplace
CS320, Summer 2012
With technology security becoming a large issue in the work place, there is an increase in monitoring employees. Many people feel that their creativity or free-time is becoming squelched by “big brother”. While this may be the case, it is also important to make sure that the company is secure and that they are paying employees to work and not surf the net. A balance needs to be in place with several checks along the way.
In this paper, I will discuss those that are affected by monitoring and some of the concerns each group has. Then I’ll cover a little background information on different ways employees are being monitored and some reasoning that employers give for monitoring. I’ll explain some of the problems associated with monitoring in the work place. Finally I’ll cover some ways employers can find a middle road with some examples from several experts. Ending with my story of creating a new Acceptable Use Policy (AUP) for my school district and my final thoughts
Who and what can be affected by monitoring in the work place
Depending on the company and who and what they deal with on a daily basis, you can have several different stockholders, in other words, people involved with some aspect of the company. The basic and most obvious are of course the Employees for the company as well as the company’s management and if they have any stockholders. There could also be other businesses that work along with the company, the purchasers of products and so forth. In the education system, there is not only the staff and administration, but support staff, like custodians and bus drivers, as well as the students and their parents (customers). You could also include other businesses such as the education agency personnel and teachers from community colleges that teach in a school building. All of these people must be considered. For the sake of time, I will cover the largest and most important group of stockholders: employees and the employers.
With the rapid growth of technology and the Internet in general, employees are ask to work faster, and use more of their free time for work. They take home laptops and cell phones to work on projects. Some employees work from home full or part-time. Many years ago, workers in a factory were monitored by their output and what the manager saw while walking around the plant. With the explosion of technology, the workers are now monitored by computers, video cameras and output sensors. How has this affected their productivity?
In 2002, a survey of 1,000 American workers revealed that 64% used company Internet access for personal use and during working hours. (Mujtaba) Some employees, while concerned with their privacy don’t realize the issues with using their employer’s network. I’ll cover the issues employers have in the next section. There are many workers that see others surfing during work hours, playing games or using corporate email for personal uses.
So many times, it is not explained to the workers in terms they could understand why they should be monitored, what is being monitors and who is looking. Personnel can feel that there are no clear guidelines to what their behavior could do to the network or what would happen to them if caught doing something wrong. Any worker with access to company equipment, such as computers, cell phones, and voicemail, should assume that they are being monitored in some way and act accordingly.
Many companies do not necessarily have written a policy for specific equipment or let staff know that some things are being monitored. The Federal law regarding phone monitoring “regulates phone calls with persons outside the state, does allow unannounced monitoring for business-related calls” (Privacy rights clearinghouse) as seen in the Electronic Communications Privacy Act (ECPA). Some states have other laws on monitoring, but I will not cover individual state laws at this time.
Employees do find that too much security can hinder their job performance. To many passwords to remember can cause post-it notes on the monitor and slower response time as they have to enter in different passwords for different places. Some feel uncomfortable knowing that the employer knows when and how long they spend in the bathroom. Web filters can inhibit research and depending on the protocols for a company could take several hours to days to open up a website that the employee needs to have access too.
Companies have several reasons for employee monitoring. Legal liability and compliance are two very costly reasons for employers to monitor. Guarding against harassment and making sure that they are in agreement with federal law have caused companies to lose money or go bankrupt. There are of course security concerns, theft of data or equipment, which could also be quite costly. They also find that with many workers using equipment for personal use (see the section on Employees) there is a need to monitor productivity. Managers can also use the information to assist them with performance reviews.
Damage to companies could be very extensive. Without protective firewalls, antivirus and Internet blocking software employees could get a virus on a company computer or mobile device. Fear that workers could accidentally or purposely release important data is a huge threat to companies, especially those that have important user data, such as account numbers or credit card information. Network equipment could be unnecessarily used for personal business. With the use of video cameras, theft is prevented or items can be recovered quickly.
Corporations estimate that there could be more than one billion dollars wasted yearly because of staff using work time for non-job related activities. (Mujtaba) By keeping track of employees’ personal phone calls, Internet surfing and emails, they can hold the workers accountable for lost time and money. In 2007 American Management Association and the ePolicy Institute conducted a survey on monitoring and surveillance (AMA). 66% of the companies surveyed monitor the internet connections with 65% using a web filter. 43% of the companies monitored email, either with technology tools (45%) or with manual review (40%). With telephone and voicemail, 43% surveyed recorded time spent and numbers called, while 25% recorded phone conversations and voicemail messages. Video surveillance was at 48% which companies stated was to lessen theft and sabotage. While another 7% used video to track employee performance. For those companies that used Global Satellite Positioning (GPS) , 8% used it to track company vehicles, 3% cell phones and 1% employee smartcards or ID cards.
As you can see, employers feel the need to protect their assets. Weather it is output of a product or protection from liabilities, corporations need to make sure that they are balancing the need to protect the company with the needs of the employees.
Today’s monitoring capabilities and risks
Anything electronic can be monitored. It is best to assume that if an object is owned by a company, they will find ways to monitor it. Phone calls, email, voice mail, laptops and workstations, mobile devices all have the capabilities to be analyzed. In this section, I’ll go over several of these in detail and what some of the risks are associated with monitoring.
With most companies going to Voice-over IP systems (VOIP), it is easier than ever to monitor and store phone calls and voice mail messages. Voicemail can be turned into MP3 files and email to a worker or the manager of that person and stored for later use. This can and has been extremely helpful in he-said-she-said cases on the internal level of companies as well as legal requirements for harassment or theft of data. Users often don’t get a notification every time that states the phone call maybe monitored, but they should assume it is. Although personal phone calls should not be monitored by an employer (See the Electronics Communications Privacy Act, 18 USC 2510, et. seq.) they could be recorded accidentally.
Cell phones also can be monitored. Without a subpoena, companies can see in the phone bill who was called, the date and time of the conversation, and the length of the call. They could also have all voice mail and text messages forwarded to a company email address. Cell phones can also be tracked using GPS, which will be discussed in the GPS section.
Email is a very hot topic among companies and employees. Viruses can be received. Private data can be sent, as well as illegal material and personal messages. The amount of information sent through the network out to the Internet can be costly when considering filters and scanners purchased to protect the business from malicious messages. Businesses also must consider the amount of storage on the email servers and backup equipment needed for the emails and all the attachments.
In Iowa and other states, there is an open records request available for all state government entities, including Universities and public schools. These open records often include emails and other electronic records. Anyone can make a request, but typically newspapers will often enact upon their right to do so. For this purpose and the need to keep information for legal reasons, many companies store backups of all emails sent in and out of the business for many years.
Computer and Internet
There are many reasons to examine what is added to and removed from network/ computer storage and Internet usage. Companies want to avoid illegal downloads of software, music and movies, which could cost them thousands of dollars in fines. The price of storage has gone up in the recent years and having users store personal files, pictures, videos and music could also be costly.
Internet browsing and social media issues can cause harm to the company as well as embarrassment. Managers fear secrets being leaked through social media or Trojan horses installed on workstations through malicious websites. Many policies have been put in place to limit workers on what can be said. Employers hire third-parties to monitor social media and the employees’ activities. In 2010, Teneros began a program calls “Social Sentry” that tracks employee movement on social media. Employers would use the program to” make sure that employees don’t leak sensitive information on social networks or engage in any behavior that could damage a company’s reputation.” (Privacy rights clearinghouse)
Video and audio Monitoring
The largest reason for video surveillance is to deter theft, preserve security and to monitor employee activities. While video monitoring has become very common in the work place, some courts have upheld employee privacy when “has been physically invasive” (Privacy rights clearinghouse), for example a bathroom. Cameras that also record audio also can be subject to laws involving audio, wiretapping, and eavesdropping. There are currently twelve states that require consent of all parties before any audio recording. (Privacy rights clearinghouse)
Global Positioning Services (GPS)
GPS is still a new way of surveillance and many companies either don’t find the need for it or haven’t yet adopted it due to expense. Yet it should be noted that company vehicles use GPS to monitor the location of truckers and verify when items will get to their destination, monitor the speed of the vehicles and make sure that truckers are taking their breaks. Cell phones can also be setup for GPS. Smartcards or electronic ID tags can be programmed for GPS and are used many times by hospitals to find nursing staff quickly. RF (radio frequency) tags can also be attached to equipment, such as laptops and laptop carts. By using wireless access points, the manager or network administrator can find equipment or be notified if equipment is missing.
The Impact on Monitoring
Employees feel entitled to privacy while in the work place, even if it is not being monitored on personal phone calls or when and how frequently they use the bathroom. Employers want to guard against loss of assets, even if that means removing some forms of privacy in the work place. It is important to keep in mind that there are laws that companies need to keep in mind when choosing ways of guarding their property.
Currently there aren’t any federal rulings that regulate businesses on workplace privacy problems. However, the Federal Privacy Act limits “the collection of information and regulates access to information for federal employees and covers private employers who have federal contracts requiring specific recordkeeping obligations” (SHRM). Also the Federal Wiretapping Act and the Electronic Communications Privacy Act halts the “intentional interception or disclosure of any wire, oral, or electronic communication where there is a reasonable expectation of privacy” (SHRM).
In 2010, the New Jersey supreme court ruled that an employer violated the rights on an employee by monitoring her personal Yahoo email sent to her lawyer (Stengart v. LovingCare Agency, Inc., 2010 WL 1189458 (N.J. March 30, 2010)). The court decided that attorney-client privilege should be applied to emails, even if there is a policy in place that private communication should not be sent through company equipment. (Privacy rights clearinghouse) However, in 2011, a California court ruled that emails sent by an employee to an attorney from a work computer where not protected by an attorney-client privilege (Holmes v. Petrovich Development Company, LLC). This was because the employee used a work email account, not a personal email account, the employee had also been told of the business only policy and that the company also monitored its computers. (Privacy rights clearinghouse)
So you can see how confusing states laws can be in circumstances like these. The important thing to note is how the employee went about sending the emails and the policies that were in place at the time. In a 2004 survey, 21% of employers surveyed said that employee email was subpoenaed by courts and 13% battled lawsuits because of employee email. Even though this is a good reason to store email, 65% of the businesses lacked email retention policies and 46% never offered workers email policy training. (The ePolicy Institue, Executive Director Nancy Flynn, e-mail email@example.com)
Many businesses must also weigh their ethical obligations with company security. I’ve discussed some security issues previously (Today’s monitoring capabilities and risks), but we also need to keep in mind some specific acts that federal regulator have added to businesses like hospitals and grade schools. If hospitals fail to comply with the Health Insurance Portability and Accountability Act (HIPAA) or Patient Safety and Quality Improvement Act of 2005 (PSQIA), they could lose federal funding and possibly be forced to close down. The same also applies to school districts and the Family Educational Right and Privacy Act (FERPA) and the Children’s Internet Protection Act, which keep children and their information private from public view.
Finding the Middle Road
With all the issues and problems associated with privacy in the work place, what can be done to protect employees and employers both? Here I will list some thoughts on policy and a couple points of view from Bahaudin Mujtaba from Nova Southeastern University and the American Civil Liberties Union (ACLU). I’ll then add my point of view from my experience of creating an Acceptable Use Policy for my school district.
Code of Ethics and Polices
First, it is important as you can see from the above court cases that a proper policy or code of ethics needs to be in place. Organizations should not only provide a policy, but also train their employees to help them know what is expected of them and when certain personal usage may be appropriate. There should be clear signs that state that business equipment is for business use only. The following is list of things to consider when creating or updating a policy. (McNamara)
- Review laws and regulations of the city, state and federal levels and adhere to them
- Identify values that produce behaviors of highly ethical and successful traits
- Identify values that would address any current issues
- Identify values based on the company’s strengths and weaknesses
- Consider the expectations of all stakeholders in the company
Point of view: Bahaudin G. Mujtaba, Nova Southeastern University
Majtaba pointed out those monitoring employees can be seen as policing, guaranteeing that misuse and stealing doesn’t occur. He states that utilitarianism supports employee monitoring, seeking the “greatest good for the greatest number” (Mujtaba). Companies must make sure that they stay in compliance of any laws and avoid liabilities and theft, as well as verifying time and resources workers may be using to continue to be successful. He commented on the cost of human and financial resources due to unethical acts such as lawsuits employee morale and a bad public image of the business. This misuse of an organization could lead to major losses.
Point of view: American Civil Liberties Union
The ACLU believe that the following changes should be made to the ECPA: (American Civil Liberties Union)
- “Robustly Protect All Personal Electronic Information.” The ACLU wants to make sure that all electronic communication gets full warrant protection.
- “Safeguard Location Information.” The ACLU believes that the government should have to obtain a warrant before accessing a person’s personal cell phone information.
- “Institute Appropriate Oversight and Reporting Requirements.” They believe there should be an extension for wiretapping orders to include all types of surveillance.
- “Require suppression Remedy.” Requiring the same rules to apply for electronic information and non-electronic information as it is used for court cases.
- “Craft Reasonable Exceptions.” Records should only be view in emergencies and only with informed consent and notification.
In my experience as an Information Technology Director of a mid-sized (2100 students and 500 staff) school district, I’ve had to learn quite a bit about Acceptable Use, FERPA, and CIPA. To remain in compliance with CIPA, I had to initiate a review of our Acceptable Use Policy that was currently in place and was extremely out of date.
Keeping in mind the information I’ve listed above, I called together several groups of stakeholders to create a committee to edit the policy. I had requested, just to name a few, instructors, associates, food service personnel and administration as well as students and parents. Unfortunately, I got a few teachers and a student that saw the importance of the task. Looking back, I think requesting a mandatory group through the Superintendent would have made the committee better rounded with all parties.
The first task was to read through the old policy and then we noted any changes that should be made, wording that needed up-dated to include terms such as social media and mobile phones. We discussed in depth the opt-in for students and parents in regards to Internet Privileges and wanted to make it an opt-out instead as many students forged parent signatures and it was difficult to have to check each student every time they wanted to use a computer. We only had a few students that parents didn’t want them on the computers and it would be easier to have a list of them in the computer labs and make the teachers responsible for altering any assignments.
Once we had finished our changes to the policy, we submitted it to the superintendent who passed it on to the lawyer. He made a few changes, recommending we not change the opt-in policy for Internet Privileges as it would be harder to hold up in case of a legal issue. Finally, we submitted it to the school board who then approved of the changes and our work was complete.
Monitoring in a school district is extremely difficult. We needed to protect students of all ages as well as adults, who should be offered more freedom. Using a special web filter we decided to filter heavily on the elementary students and then lighten a bit on the middle school and finally a bit more for the high school students. Our teachers were filtered for porn, malicious web sites and downloading of software. We restricted the streaming video and also gave students and staff a web page to go to when they needed a website opened from the filter.
Due to cost of storage, at the time, we saved very little of our email, and video (2-4 weeks of data max), but had plans to store more in the future. There were several times when video surveillance caught theft, damage to property and to people and was used against people in court. At the time of my working for the district we had video systems in the middle school and high school, but, due to their success in protecting assets, we were looking at adding video cameras at the elementary schools as well.
I believe there needs to be a clear understanding to all stockholders on the need to behave professionally and ethically. Monitoring should not be used as the only source to prevent loss, but people that work for or with the company should be held to a high standard. Privacy must be respected and should always be considered when monitoring and policies are put in place. Workers should understand the policies and what the intent of monitoring is for. There should also be annual reviews of policies to make sure changes are made when new issues or technologies arise.
In review, I’ve discussed two points of view of two major stockholders of company monitoring, employees and employers, stating reasons for monitoring and against it. Different types of monitoring with their pros and cons where also listed. Followed by some of the issues, including recent court cases, that monitoring has caused and prevented. Finally, I gave a couple separate view points and added my own experience and thoughts on employee monitoring.
The important thing to keep in mind is that there needs to be open communication between manager and worker when it comes to monitoring. Employees must be aware of what is being monitored, what is expected of them and what the monitoring is for. Employers must have a set of clearly defined rules in place and should be held accountable to make sure the workers understand the needs for monitoring. Monitoring should be used as a protective measure and should not be used as the ethical police.
AMA. 2007 electronic monitoring & surveillance survey. 28 Feb 2008. 20 Jul 2012. <http://press.amanet.org/press-releases/177/2007-electronic-monitoring-surveillance-survey/>.
American Civil Liberties Union. Modernizing the electronic communications privacy act. 12 Oct 2011. 21 Jul 2012. <http://www.aclu.org/technology-and-liberty/modernizing-electronic-communications-privacy-act-ecpa>.
Baase, S. A Gift Of Fire, Social, Legal, And Ethical Issues For Computing And The Internet. 3rd. Upper Saddle River NJ: Prentice Hall, 2008.
Cornell University. 18 USC Chapter 119 – WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS. n.d. 23 Jul 2012. <http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119>.
McNamara, C. Complete Guide to Ethics Management. Ed. D. Gebler. 23 Jan 2003. 20 Jul 2012. <http://managementhelp.org/businessethics/ethics-guide.htm>.
Mujtaba, B. Ethical Implications of Employee Monitoring: What Leaders Should Consider. n.d. Journal of applied management & entreprenuership. http://www.huizenga.nova.edu/Jame/articles/employee-monitoring.cfm. 20 Jul 2012.
Privacy rights clearinghouse. Fact sheet 7: Workplace privacy and employee monitoring. 2011. 20 Jul 2012. <https://www.privacyrights.org/fs/fs-7work.htm>.
SHRM. “Workplace Monitoring Laws.” 23 May 2012. Society for human resource management. 20 Jul 2012. <http://www.shrm.org/legalissues/stateandlocalresources/stateandlocalstatutesandregulations/documents/state%20surveillance%20and%20monitoring%20laws.pdf>.
The ePolicy Institue, Executive Director Nancy Flynn, e-mail firstname.lastname@example.org. 2004 Survey on Workplace E-Mail and IM Reveals Unmanaged Risks. 2002, 2003. 20 Jul 2012. <http://www.epolicyinstitute.com/survey/index.asp>.